mirror of
https://github.com/QubesOS/qubes-doc.git
synced 2024-10-01 01:25:40 -04:00
Make firewall rules spec more precise
Define options order and explicitly forbid duplicates.
parent
37523d315a
commit
89ecd9a8fe
@ -98,19 +98,22 @@ Possible options for a single rule:
|
|||||||
echo request, valid only together with `proto=icmp`
|
echo request, valid only together with `proto=icmp`
|
||||||
- `dpi`, value: Deep Packet Inspection protocol (like: HTTP, SSL, SMB, SSH, SMTP) or the default 'NO' as no DPI, only packet filtering
|
- `dpi`, value: Deep Packet Inspection protocol (like: HTTP, SSL, SMB, SSH, SMTP) or the default 'NO' as no DPI, only packet filtering
|
||||||
|
|
||||||
|
Options must appear in the rule in the order listed above. Duplicated options
|
||||||
|
are forbidden.
|
||||||
|
|
||||||
Rule matches only when all predicates matches. Only one of `dst4`, `dst6`,
|
Rule matches only when all predicates matches. Only one of `dst4`, `dst6`,
|
||||||
`dstname`, `specialtarget` can be used in a single rule.
|
`dstname`, `specialtarget` can be used in a single rule.
|
||||||
|
|
||||||
If tool applying firewall encounters any parse error (unknown option, invalid
|
If tool applying firewall encounters any parse error (unknown option, invalid
|
||||||
value etc), it should drop all the traffic coming from that `SOURCE_IP`,
|
value, duplicated option, etc), it should drop all the traffic coming from that `SOURCE_IP`,
|
||||||
regardless of properly parsed rules.
|
regardless of properly parsed rules.
|
||||||
|
|
||||||
Example valid rules:
|
Example valid rules:
|
||||||
|
|
||||||
- `action=accept dst4=8.8.8.8 proto=udp dstports=53-53`
|
- `action=accept dst4=8.8.8.8 proto=udp dstports=53-53`
|
||||||
- `action=drop dst6=2a00:1450:4000::/37 proto=tcp`
|
- `action=drop dst6=2a00:1450:4000::/37 proto=tcp`
|
||||||
- `specialtarget=dns action=accept`
|
- `action=accept specialtarget=dns`
|
||||||
- `specialtarget=dns action=drop proto=tcp` - drop DNS queries sent using TCP
|
- `action=drop proto=tcp specialtarget=dns` - drop DNS queries sent using TCP
|
||||||
- `action=drop`
|
- `action=drop`
|
||||||
|
|
||||||
### Keys set by VM for passing info to dom0 ###
|
### Keys set by VM for passing info to dom0 ###
|
||||||
|
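Review bot: the new parse-error list on the right-hand side ("unknown option, invalid value, duplicated option, etc") does not mention an option appearing out of order, even though the added sentence makes the order mandatory; say explicitly that an out-of-order option is a parse error, so implementations apply the same fail-closed handling (drop all traffic from that `SOURCE_IP`) instead of silently accepting or reordering the rule. The reordered examples also place the mutually exclusive `dst4`/`dst6`/`specialtarget` options on different sides of `proto` (`dst4=8.8.8.8 proto=udp` versus `proto=tcp specialtarget=dns`), so a reader of this section alone cannot recover the canonical order from "listed above"; one line spelling out the full order would remove that ambiguity. Minor: the unchanged context still reads "all predicates matches" and "If tool applying firewall", which should be "all predicates match" and "If the tool applying the firewall".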